Monday, February 15, 2016

He followed that one up with another related post, Just Browsing. See also his Invasion of Privacy post for browser fingerprinting and some perspective on “private/incognito” browsing session tracking.

The finding that (in some cases) your cellular carrier could be adding extra headers to your smart device's information requests is not shocking in this day and age. But that those headers could contain (leak) your personally identifiable cell phone number was quite a surprise!

Consumer Cellular has agreements to use T-Mobile and AT&T networks. If my cellphone uses the T-Mobile network, then no extra headers are added to my HTTP requests. However, if my phone uses AT&T's network, then AT&T appends a lot of personal information to every HTTP request:

X-Att-Imsi: This is my International Mobile Subscribed Identity and is unique to my phone.

X-Att-Plmn-Id: This contains my MCC+MNC code; that's the mobile country code (MCC) and mobile network code (MNC). These values identify the country and carrier. For example, MCC 310 is the United States, and MNC 410 in the United States is Cingular Wireless (now AT&T).

X-Up-Calling-Line-Id: This contains my cellphone number. Seriously: AT&T sends my direct cellphone number to every website my phone visits. Looking over my web server logs, I see other people who have been through this same path. Thanks to AT&T, I have direct phone numbers for people in Portland, Oregon and Cincinnati, Ohio and Roanoke, Virginia and... I'm actually surprised that my cellphone hasn't received more telemarketer calls.

X-Up-Subno: This very-disturbing field includes a timestamp that shows when (down to the second) I signed up with Consumer Cellular.

Running several tests with my cellular devices (with Wi-Fi disabled to force the data across AT&T’s network) came back “clean” of any PII metadata; at least as far as this particular test was able to detect.
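As an added example (not code from the original post or from the Hacker Factor articles it links), the following PowerShell checks a set of request headers for the four carrier-inserted header names listed above, masks their values so a site operator can log that a leak happened without storing the phone number or IMSI, and strips them before the headers go anywhere else. The header values are constructed, not real subscriber data; MCC 310 / MNC 410 is the AT&T example the post gives.

```powershell
# Added example, not from the original post. Header names are the ones the post lists;
# all sample values below are constructed.
$CarrierPiiHeaders = @{
    'X-Att-Imsi'           = 'IMSI, unique to the subscriber'
    'X-Att-Plmn-Id'        = 'MCC+MNC, the country and carrier'
    'X-Up-Calling-Line-Id' = 'the subscriber phone number'
    'X-Up-Subno'           = 'subscriber number with the sign-up timestamp'
}

function Test-CarrierHeaders {
    # Returns one record per known carrier PII header present, with the value masked.
    param([Parameter(Mandatory)][hashtable]$Headers)
    $findings = @()
    foreach ($name in $CarrierPiiHeaders.Keys) {
        # PowerShell hashtable literals compare keys case-insensitively, which matches HTTP header semantics.
        if (-not $Headers.ContainsKey($name)) { continue }
        $value  = [string]$Headers[$name]
        # Keep only the last two characters: enough to correlate, not enough to identify.
        $masked = if ($value.Length -gt 2) { ('*' * ($value.Length - 2)) + $value.Substring($value.Length - 2) } else { '**' }
        $findings += [pscustomobject]@{
            Header      = $name
            Contains    = $CarrierPiiHeaders[$name]
            MaskedValue = $masked
        }
    }
    return ,$findings
}

function Remove-CarrierHeaders {
    # Returns a copy of the headers with the carrier PII headers dropped (e.g. before logging or proxying).
    param([Parameter(Mandatory)][hashtable]$Headers)
    $clean = @{}
    foreach ($name in $Headers.Keys) {
        if (-not $CarrierPiiHeaders.ContainsKey($name)) { $clean[$name] = $Headers[$name] }
    }
    return $clean
}

# Constructed sample: a request that took the AT&T path (values are fake)...
$attRequest = @{
    'Host'                 = 'example.invalid'
    'User-Agent'           = 'Mozilla/5.0 (Linux; Android 5.1)'
    'X-Att-Imsi'           = '310410000000001'
    'X-Att-Plmn-Id'        = '310410'
    'X-Up-Calling-Line-Id' = '15555550123'
    'X-Up-Subno'           = 'fake_subno_20150101120000'
}
# ...and one that took the T-Mobile path, which the post says adds nothing.
$tmoRequest = @{ 'Host' = 'example.invalid'; 'User-Agent' = 'Mozilla/5.0 (Linux; Android 5.1)' }

foreach ($case in @(@{ Name = 'AT&T path'; Headers = $attRequest }, @{ Name = 'T-Mobile path'; Headers = $tmoRequest })) {
    $hits = Test-CarrierHeaders -Headers $case.Headers
    if ($hits) {
        "$($case.Name): $($hits.Count) carrier PII header(s) present"
        $hits | Format-Table -AutoSize
        "Headers left after Remove-CarrierHeaders: $((Remove-CarrierHeaders $case.Headers).Keys -join ', ')"
    } else {
        "$($case.Name): clean"
    }
}
```

Running it prints the masked findings for the constructed AT&T request and “clean” for the T-Mobile one. On a real site the same two functions would sit in whatever logging or proxy layer sees the raw request, so the phone numbers the post describes finding in its web server logs never get written down.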

Media eXperience Analyzer (MXA) is a visual performance analysis tool that enables engineers to optimize the performance and quality of media scenarios on Windows devices. MXA enables a broader range of performance engineers to infer meaningful information from a large amount of discrete event data by representing events visually and providing powerful filtering capabilities. MXA is used to optimize the quality, performance, and latency of the following scenarios:

Oh my! Did my Glasswire “repair” bork my system? Did taking down the security perimeter allow an attack to penetrate?

Doubtful. Once I clicked “OK” 46 times Task Scheduler would load and otherwise seemed OK. And the system would boot and run just fine. These errors were encountered only when loading up Task Scheduler.

Dijji explains exactly what happened on the main page…and it’s no surprise: my failed Windows 10 upgrade and rollback caused the issue.

In particular, it fixes problems where opening the Task Scheduler, or trying to configure Windows Backup, results in the message "The task image is corrupt or has been tampered with" (0x80041321).

Searching the web reveals that this message has been seen from time to time, and the (rather laborious) set of steps that can be taken to correct it are fairly well-documented (see here and script for it here).

However, it turns out that reverting to Windows 7 from Windows 10 generates this problem in spades. It can leave more than 40 scheduled tasks in a corrupt state (see this thread). This is because many task registry keys and the task definitions to which they refer are updated by a Windows 10 upgrade, but only the registry keys are restored on reversion, so Task Scheduler finds that, for these tasks, the task registry keys and task definitions are now inconsistent.

So basically, the Windows 10 upgrade adds a bunch of additional scheduled tasks to the system, but when you roll back, they are not all removed. Then you get the errors.

Classy, Microsoft.

Dijji’s Repair Tasks Utility In Action

Fortunately, brilliant and clever community folks like Dijji are around to do the hard work and create solutions to mop up the mess left in aisle 4.

After reading all of Dijji’s project documentation I went through the process and quickly had all my corrupted tasks restored, the ones I didn’t need removed, and Task Scheduler working normally again.

Click the Repair button (most or all of the tasks should be repaired now; if not, go to step 10).

Click the radio button “Take tasks from backup”.

Click Scan for a list of the remaining corrupted files.

Click Repair again.

You will get a pop-up window asking where the RepairTasks.zip is located: the file you created, AAAAATASK, which should be at the very top (of course, that is the reason for the name of the file).

You can test by running both scans; if you do not get any more lists of files, boom! You are done.

Yep that is pretty much it.

After I did my first scan for issues I saved the results in a TXT file; that is where I got the list of 46 issues I opened up this post with. Super handy.

I then ran the “Repair” routine which almost instantly fixed 41 of them, leaving 5 remaining as seen below.

I then attempted a repair of those remaining five tasks from the offered “Windows7 Tasks.zip” file provided and did a second repair. That did the trick!

When I was all done and subsequent reboots confirmed a normal Task Scheduler again, I ran a scan one last time and then chose a “Backup Tasks” routine to tuck these away in case this happens again. That way I can rely on my own system.

GSD Tip: If you do decide to do a Windows 7 to Windows 10 upgrade, be sure you take your own manual backups, set some system restore points, and also use this tool to take a backup of your Tasks for good measure.

I think Dijji could be selling his project features just a bit short and recommend also highlighting it as a “regular” Task Scheduler backup tool, not just as a “repair” tool.
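For readers who want the “backup tool” role scripted, and a way to see the registry/definition mismatch Dijji describes before Task Scheduler starts complaining, here is an added PowerShell example. It is not part of Dijji’s RepairTasks project or of this post. It assumes the standard locations for the Task Scheduler cache (the TaskCache key under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule and the task definition files under %SystemRoot%\System32\Tasks) and uses schtasks.exe for the export because the Get-ScheduledTask cmdlets do not exist on Windows 7. The consistency check finds Tree entries with no Tasks entry, mismatched paths, and missing definition files; it does not verify the stored hash, so a task whose file was silently replaced (the Windows 10 rollback case) still needs the repair utility. Run it from an elevated prompt.

```powershell
# Added example, not part of Dijji's RepairTasks or the original post.
# Assumed standard Windows 7/8/10 locations:
$TaskCache = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache'
$TaskDir   = Join-Path $env:SystemRoot 'System32\Tasks'

function Backup-AllTasks {
    # Exports every task definition to <Destination>\<task path>.xml via schtasks.exe (works on Windows 7).
    param([Parameter(Mandatory)][string]$Destination)
    New-Item -ItemType Directory -Path $Destination -Force | Out-Null
    # /FO CSV /NH yields one quoted line per task (and trigger): "TaskName","Next Run Time","Status"
    $names = schtasks.exe /Query /FO CSV /NH 2>$null |
             ConvertFrom-Csv -Header TaskName, NextRun, Status |
             Select-Object -ExpandProperty TaskName -Unique |
             Where-Object { $_ -like '\*' }
    $saved = 0
    foreach ($name in $names) {
        $xml = schtasks.exe /Query /TN $name /XML 2>$null
        if ($LASTEXITCODE -ne 0 -or -not $xml) { Write-Warning "Could not export $name"; continue }
        # '\Microsoft\Windows\Foo\Bar' becomes Microsoft\Windows\Foo\Bar.xml under the destination.
        $file = Join-Path $Destination ($name.TrimStart('\') + '.xml')
        New-Item -ItemType Directory -Path (Split-Path $file) -Force | Out-Null
        $xml | Set-Content -Path $file -Encoding Unicode
        $saved++
    }
    return $saved
}

function Get-InconsistentTasks {
    # Each task leaf under TaskCache\Tree carries an 'Id' GUID that must resolve to TaskCache\Tasks\{Id},
    # and that key's 'Path' value must point at an existing file under System32\Tasks.
    $results = @()
    Get-ChildItem -Path "$TaskCache\Tree" -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $id = (Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue).Id
        if (-not $id) { return }   # a folder node, not a task
        $taskPath = $_.PSPath -replace '^.*?\\TaskCache\\Tree', ''   # e.g. '\Microsoft\Windows\Defrag\ScheduledDefrag'
        $entry    = Get-ItemProperty -LiteralPath "$TaskCache\Tasks\$id" -ErrorAction SilentlyContinue
        $problem  = $null
        if (-not $entry) {
            $problem = 'Tree Id has no TaskCache\Tasks entry'
        } elseif (-not (Test-Path -LiteralPath (Join-Path $TaskDir $entry.Path.TrimStart('\')))) {
            $problem = 'definition file missing from System32\Tasks'
        } elseif ($entry.Path -ne $taskPath) {
            $problem = "Tasks Path ($($entry.Path)) differs from Tree path"
        }
        if ($problem) { $results += [pscustomobject]@{ Task = $taskPath; Id = $id; Problem = $problem } }
    }
    return ,$results
}

$count = Backup-AllTasks -Destination (Join-Path $env:USERPROFILE 'Desktop\TaskBackup')
"Exported $count task definitions."
$bad = Get-InconsistentTasks
if ($bad) { $bad | Format-Table -AutoSize } else { 'No registry/definition reference mismatches found.' }
```

Keeping the exported folder somewhere off the system drive gives you the same fallback the “Backup Tasks” routine does, in plain XML you can diff after the next upgrade attempt.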

In the end I found Registry Finder the easiest to work with for this particular task.

I did a search in it for “Glasswire” and it came back with quite a lot of related keys still left over. I first exported these then I deleted them and rebooted the system. Nothing seemed harmed so I proceeded.

For step 6.3 I ended up “restoring” my original settings by choosing the “None – Remove all protection” option of CryptoPrevent.

My thought on temporarily disabling all of these was that perhaps some protection was blocking the proper installation/registration of the Glasswire service.

I then installed the latest version of Glasswire and it went on with no issues, connected to the Glasswire service, and the graph starting working normally again.

Hurray!

I re-enabled all the protections and rebooted.

Glasswire worked normally again.

Mischief managed.

Or was it?!! For another purpose I had to go into my “Task Scheduler” and was suddenly flooded with a long series of pop-ups like this for LOTS of different tasks. Oh SNAP!

Come back for Episode 2 – in which Task Scheduler’s “The task image is corrupt or has been tampered with.” error is assessed, understood, and vanquished!

It should update to the latest build from the CI server so does give you a more up-to-date version. "More functional" is harder to say, it might have more features but one you rely on might get accidentally broken. We'd hopefully spot that and get it fixed quickly but OLW is only going to check once per day that you restart the app.

Basically, know that if you are on the CI builds then you might get broke. The good news is that if that happens, uninstalling the app (making sure the reg keys get deleted) and installing the latest version from openlivewriter.com will get you back onto the stable build if something goes really badly wrong.

Having a certain amount of folks running on the latest build would be really helpful in case something got broke that we wouldn't have otherwise noticed, but please only do it if you are comfortable with living on the edge a little more.

However, reliably getting your OLW nightlies using the registry tweak method could (currently) be problematic, as developer “willduff” explains:

Problem is that we haven't bumped the version number. Right now the nightly version number is the same as the public release version number, so your local copy thinks it's already up to date and skips re-downloading the same version. Let me see if it's safe to bump the version number now...

One more thing to note, if you do go test those builds out that I linked to in issues #224 and #247, and you leave CheckForBetaUpdates = 1, then you'll actually get auto-upgraded to the nightly because I bumped the version. So, if you want to test those builds properly, you'll want to set CheckForBetaUpdates = 0 temporarily.

GSD Testing Tip: This is a good point -- so what I did was to export that Registry key in both states with different names. This way I can “toggle” the beta update check “on” (CheckForBetaUpdates = 1) or “off” (CheckForBetaUpdates = 0) depending on what I want to do.

So Claus, what’s the result on your system using the latest OLW nightly (build listed as 0.6.0.0 and file timestamps from 02/13/2016)?

The “Set categories” feature is working wonderfully now. At first my drop list was still blank but I hit the “refresh” button at the top and after a moment they all populated. Looks just like the original WLW feature.

Spelling was folded into this build as well. But…there seems to be a limitation at the moment.

It isn’t working on my Windows 7 system and that feature is greyed out.

No there isn't. This PR is to get the spell check back up and running using the Windows spell check API (Win8 and later). Win7 will need to be addressed separately with an API that has its own dictionaries.

Displaying USB Devices using WMI - Windows PowerShell Blog. Jeffrey Snover’s post did get me the output I was looking for, but I then needed to clean it up just a bit as I only wanted the “USB Mass Storage Device” information.

Filtering PowerShell Objects - PowerShell content from Windows IT Pro. This was the final bit in giving examples how I could filter for just the one line I needed.

If anyone can “refine” the code or filter it more to just pass on the Serial Number string itself, I would be grateful for any recommendations.

Using PowerShell’s gwmi or the Command WMIC call are powerful ways to get system information.

Here are some additional examples that I’ve collected trying to puzzle out my own particular USB Mass Storage device query technique that could be helpful to sysadmins:
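Since the post asks for a version that hands back just the serial number string, here is an added PowerShell example (not the original post’s code, nor the snippets it collected). It takes the same Win32_USBControllerDevice to Win32_PnPEntity route as Jeffrey Snover’s post, keeps only USB mass storage devices, and reads the serial from the device instance ID, whose third segment is the serial the stick reports (or a Windows-generated instance ID containing “&” when the device reports none). The sample device objects are constructed so the function can be exercised without hardware; the final call queries the live machine.

```powershell
# Added example, not from the original post. Works with the gwmi / Win32_PnPEntity objects
# the post references; the $sample objects below are constructed stand-ins.
function Get-UsbMassStorageSerial {
    param(
        # Pass your own objects (e.g. for offline testing); by default, query WMI live.
        [object[]]$Devices = $(Get-WmiObject Win32_USBControllerDevice | ForEach-Object { [wmi]$_.Dependent })
    )
    $Devices |
        Where-Object { $_.Description -eq 'USB Mass Storage Device' -or $_.Service -eq 'USBSTOR' } |
        ForEach-Object {
            # Instance ID format: USB\VID_xxxx&PID_xxxx\<serial-or-generated-instance-id>
            $parts  = $_.DeviceID -split '\\'
            $vidpid = if ($parts.Count -ge 2) { $parts[1] } else { '' }
            $serial = if ($parts.Count -ge 3) { $parts[2] } else { '' }
            [pscustomobject]@{
                Name           = $_.Name
                VidPid         = $vidpid
                SerialNumber   = $serial
                # An '&' in this segment means Windows generated it; the device has no real serial.
                IsDeviceSerial = ($serial -ne '' -and $serial -notmatch '&')
            }
        }
}

# Constructed sample devices (fake VID/PID/serials) shaped like Win32_PnPEntity instances.
$sample = @(
    [pscustomobject]@{ Name = 'USB Mass Storage Device'; Description = 'USB Mass Storage Device'; Service = 'USBSTOR'
                       DeviceID = 'USB\VID_0000&PID_0001\FAKESERIAL0123456789' }
    [pscustomobject]@{ Name = 'USB Mass Storage Device'; Description = 'USB Mass Storage Device'; Service = 'USBSTOR'
                       DeviceID = 'USB\VID_0000&PID_0002\6&2A1B3C4D&0&3' }
    [pscustomobject]@{ Name = 'USB Composite Device';    Description = 'USB Composite Device';    Service = 'usbccgp'
                       DeviceID = 'USB\VID_0000&PID_0003\5&1234ABCD&0&1' }
)

'--- constructed sample ---'
Get-UsbMassStorageSerial -Devices $sample | Format-Table -AutoSize

'--- this machine ---'
# Just the serial strings, which is what the post was after:
Get-UsbMassStorageSerial | Select-Object -ExpandProperty SerialNumber
```

The IsDeviceSerial flag matters if you use the output for a device inventory or a removable media allow list: an instance ID with “&” changes when the stick moves to a different port, so it is useless as an identifier, while a real serial stays put.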

One of the most important utilities that I use weekly is the Universal Extractor from LegRoom.net.

It has a very large list of supported formats for archive unpacking but hasn’t been updated in a very long time.

I’ve manually updated some of the included binaries from time to time, but the Inno Setup Unpacker file is the one I need updated regularly. I get it from innounp and overwrite the older version in my bin folder. Current version as of the time of this release is 0.45 and supports Inno Setup versions 2.0.7 through 5.5.7 for all your unpacking needs.

I was excited to learn about a project to try to update not just the various unpacker binaries but the application itself.

I previously reported this in my GSD post about the struggles, but am reposting it here for topic inclusion.

The takeaway was to quit Process Explorer. I’ve seen a few other software installations where I have needed to close out Process Explorer entirely to make sure it doesn’t get in the way of some installations. Weird.

Of course, iTunes wanted to be updated, so I used the Apple Software Updater, but it complained about the “iPod Service” not being able to start, so the install kept failing. I then tried to download and run the iTunes package rather than using the updater, but that failed at the same point. I found this post, Service ‘iPod Service’ (iPod Service) could not be installed..., over in the Apple Support forums and followed “rickybpta”’s steps.

Close Sysinternals’ Process Explorer (if you have it and it is open).

I had purchased a Yeti Blue USB microphone a while back to up my audio recording game. I had hoped to be able to eventually use it with my iPad/iPhone, but there were some challenges reported, so I’ve just stuck it out with my Windows 7 laptops, where it has done a rocking-cool job of upping my audio game. Couple that with Audacity and The Levelator from The Conversations Network and, while I am no audio engineer, I can do a fine job for most recording needs.

I need to update this post Claus’s iPhone App List - Updated 01/2014 as I’ve gone through some serious changes with the iOS apps I carry. I have purchased more than a few as well…so they must be that good! “Hey Siri! Remind me to update that post!”

Round – Apple App Store – Because Due doesn’t currently handle recurring reminder events of less than a day (that I am aware of), you can’t yet use it to set medication dosing reminders. This looks to be designed specifically for that need.

Mighty Timer – Apple App Store – free app to help with brewing your tea. Alvis and her husband gave Lavie and I some very nice porcelain cups along with some fancy Matcha style tea. It has to be brewed very carefully but is super good!

The /reportnow function is a very tricky beast, and it somewhat requires an understanding of the natural behaviors of the WUAgent.

When the WUAgent performs activities, it queues up all of those completed activities as 'events'. When the WUAgent quits working, an idle timer is engaged, and when the WUAgent has been idle for ~20 minutes, it invokes a call to the ReportingWebService. You can see these calls in the WindowsUpdate.log and compare their timestamps with the entries just previous.

If the /reportnow action is invoked after the WUAgent becomes idle and before the regular call to the ReportingWebService, an immediate call to the ReportingWebService will be invoked. You can also see this in the WindowsUpdate.log.

However, the call to the ReportingWebService is not the end of the line. Those events reported in that call are loaded into a buffer, and the WSUS server then processes those events asynchronously. If the WSUS server is also busy doing other things or other clients are also reporting at the same time, there will be an additional delay until the results are visible in the WSUS console.

The real thing to remember is that, at best, the /reportnow task isn't going to save you much more than 20-30 minutes, so usually just waiting is the more efficient approach to the whole thing.
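The comparison suggested above (a ReportingWebService call’s timestamp against the entries just before it) is easy to automate. The following is an added PowerShell example, not code from the post or the forum answer it quotes. It assumes the Windows 7 / WSUS client WindowsUpdate.log layout (tab-separated date, time, PID, TID, component, message), picks out each upload to the ReportingWebService, and reports how long the agent had been idle beforehand, so you can tell a normal ~20 minute idle flush from one triggered by /reportnow. The log lines in $sample are constructed.

```powershell
# Added example, not from the original post. Parses the Windows 7-era WindowsUpdate.log format;
# the sample lines below are constructed.
function Get-ReportingCalls {
    param([Parameter(Mandatory)][string[]]$LogLines)

    $lastActivity = $null   # most recent non-Report line (Agent, AU, Misc, ...)
    foreach ($line in $LogLines) {
        $f = $line -split "`t"
        if ($f.Count -lt 6) { continue }
        # Fields look like 2016-02-15 and 09:12:33:541 (milliseconds after a colon).
        try {
            $ts = [datetime]::ParseExact("$($f[0]) $($f[1])", 'yyyy-MM-dd HH:mm:ss:fff', [cultureinfo]::InvariantCulture)
        } catch { continue }
        $component = $f[4].Trim()
        $message   = ($f[5..($f.Count - 1)] -join "`t").Trim()

        if ($component -eq 'Report' -and $message -match 'ReportingWebService') {
            [pscustomobject]@{
                Time        = $ts
                IdleMinutes = if ($lastActivity) { [math]::Round(($ts - $lastActivity.Time).TotalMinutes, 1) } else { $null }
                PrecededBy  = if ($lastActivity) { "$($lastActivity.Component): $($lastActivity.Message)" } else { '(start of log)' }
                Message     = $message
            }
        }
        if ($component -ne 'Report') {
            $lastActivity = [pscustomobject]@{ Time = $ts; Component = $component; Message = $message }
        }
    }
}

# Constructed sample: a detection cycle, the normal idle-timer upload about 20 minutes later,
# then a second detection followed quickly by an upload (what /reportnow would produce).
$sample = @(
    "2016-02-15`t09:12:33:541`t 988`t1d8`tAgent`t  * Found 2 updates and 5 categories in search"
    "2016-02-15`t09:12:34:102`t 988`t1d8`tAgent`t*********************  END  **  Agent: Finding updates [CallerId = AutomaticUpdates]  *********************"
    "2016-02-15`t09:12:34:110`t 988`t3c0`tAU`tAU setting next detection timeout to 2016-02-16 02:10:11"
    "2016-02-15`t09:32:41:007`t 988`t1d8`tReport`tUploading 2 events using cached cookie, reporting URL = http://wsus.example.invalid/ReportingWebService/ReportingWebService.asmx"
    "2016-02-15`t09:32:41:325`t 988`t1d8`tReport`tReporter successfully uploaded 2 events."
    "2016-02-15`t10:05:02:900`t 988`t1d8`tAgent`t*********************  START  **  Agent: Finding updates [CallerId = AutomaticUpdates]  *********************"
    "2016-02-15`t10:05:44:221`t 988`t1d8`tAgent`t*********************  END  **  Agent: Finding updates [CallerId = AutomaticUpdates]  *********************"
    "2016-02-15`t10:07:10:004`t 988`t1d8`tReport`tUploading 1 events using cached cookie, reporting URL = http://wsus.example.invalid/ReportingWebService/ReportingWebService.asmx"
)

'--- constructed sample ---'
Get-ReportingCalls -LogLines $sample | Format-Table Time, IdleMinutes, PrecededBy -AutoSize

# Against a real client (the log lives in the Windows directory on Windows 7):
'--- this machine ---'
Get-ReportingCalls -LogLines (Get-Content (Join-Path $env:windir 'WindowsUpdate.log')) | Format-Table Time, IdleMinutes -AutoSize
```

If every upload on a client shows an idle gap near the default timer, /reportnow is not being honored (or is being run too early, before the agent goes idle); if the WSUS console still lags behind even short gaps, the delay is on the server’s asynchronous event processing rather than the client.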

When run from the command prompt on a client in the form of "wuauclt.exe /resetauthorization /detectnow", this command will kick off a manual check in with the configured WSUS server (or WindowsUpdate website, if you're using that instead of WSUS). You can verify this occurs by opening the windowsupdate.log file located in the Windows directory.

If you manually run wuauclt.exe with the above listed switches, it will check in with WSUS, and then behave based on your update configuration, either configured locally on each client, or through Group Policy. So, if you have your clients configured to download any available updates, it will do so. Or, if you have your clients configured to just check in and inform you there are updates without downloading, it will do that also.

The windowsupdate.log file, located on the individual clients, will have all the information pertaining to how wuauclt runs on their individual systems. (As commented by John.)

2. wuauclt /resetauthorization /detectnow -- this is actually a special case version of the previous command. The /resetauthorization parameter forces the targeting cookie to be immediately expired. Normally the cookie has an ~60 minute expiration. Typically this form of the command is used when server-side targeting is being used, and a client system has just been reassigned to new group(s) via the WSUS console. Use of this command forces the WUAgent to discard any previously known group memberships and to requery the WSUS server for the current memberships. This command should also be used when the SusClientID has been deleted and a detection was performed within the previous hour to ensure the WUAgent does not use the SusClientID that is cached in the targeting cookie. Also note that the order of these parameters is critical -- the /resetauthorization flag must be the first of these flags on the command line.

3. wuauclt /reportnow -- IF a recent event has completed and there are PENDING EVENTS to be reported to the WSUS server, this command will force the immediate flushing of that reporting event queue. If there are no pending events to be reported, this command does nothing.

No other parameters are supported or documented -- although many are defined in the source code and have been extracted via reflection. Some of them have experimental functionality, but should not be used in a production environment.

The EMET 5.5 registry has been refactored in order to make it easier to manage EMET settings via Group Policy. To convert settings from previous versions of EMET (including EMET 5.5 Beta) to EMET 5.5, use the provided converter.

You still can’t seem to “upgrade” to the new version. I had to uninstall the previous EMET version (after exporting the custom settings I have). Then I installed the new version and imported my XML file back in.

It seems to be running just fine on our Windows 7 and 8.1 systems.

And yes, I do live dangerously and run it concurrently with Malwarebytes Anti-Exploit in a “yes I will run with scissors and you can’t stop me” sort of attitude.

I could blame the significantly reduced GSD blog posting on competing time drains of late:

Downton Abbey on PBS

Friday Night Curling televised matches

Sysadmin work at the church-house

Deep-dive problem solving for some pernicious Windows issues

Multiple projects at work

Tech-fatigue

Providing more quality time to family and friends

All of those do compete quite strongly with my blogging time.

However, after considerable reflection, I must put the greatest challenge down to the shutdown of the Microsoft Live Writer application (via the Google Blogger API changes) and the painful switch to Open Live Writer.

Is this process a deal-breaker…of course not, but the steps required have kinda taken some of the free-form blogging away and made it a more deliberate exercise. That could be a Good Thing ™ but it does take away the spontaneity from the process.

Living in Houston’s greater-Metro area would lead one to think that there are a lot of great e-waste disposal locations to pick from. Well there are but most all of them are on the other side of the greater-Metro area from where I live.

Luckily, Goodwill will let me drop off my older computer equipment at any of their area stores (one is just 10 minutes away from home) and ship it (if needed) to their main computer sales store. Sweet.

I’ve got a Compaq Presario V2575US Notebook PC that runs OK but probably could use a new battery and definitely needs a new A/C brick.

There is also a Gateway MA3 laptop that I’ve had an A/C plug resolder service done on the mainboard. The solder cracked again, but it might be good for parts…or for someone willing to do a mainboard swap.

I’ve got several old PCI and AGP video cards.

I’ve got a few old PATA HDDs that are less than 500 GB in size. I still have an old PATA external drive enclosure, but it already has a 500 GB drive in it, so there isn’t much sense in holding onto any of the others I’ve “collected” over the years. They will be wiped and donated too.

I found Lavie and my old Palm Pilot III’s. Now I’ve got to figure out if I can charge them somehow and wipe them. Oh the memories of early PIM/PDA technology.

I’m still not quite ready to part with my Shuttle SK41G. It’s like a child for some reason. Since I now have a USB-DVD player, I should be able to dump the very slow (but working) Win 7 OS and finally try out LXLE Desktop on it. Sadly, my new Raspberry Pi 2 seems faster than the Shuttle and is whisper quiet.

I’ve got two Samsung 930B flatscreen monitors. They work great but really can’t seem to handle the “modern” resolutions that most systems display at nowadays. I’ve considered donating them as well, but since they support both DVI and VGA inputs, they might still be handy for troubleshooting display issues with laptops or other systems…so those will hang around for a bit longer. Just in case.

I think that is the hardest part to get past as a techie. Experience has taught me that there is just a chance that I might encounter a situation where a piece of older hardware might come in handy. So it is tempting to hold on to things that aren’t really needed.
